1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // Implementation of NtMapViewOfSection intercept for 32 bit builds.
7 // TODO(robertshield): Implement the 64 bit intercept.
9 #include "chrome_elf/blacklist/blacklist_interceptions.h"
14 // Note that only #includes from base that are either header-only or built into
15 // base_static (see base/base.gyp) are allowed here.
16 #include "base/basictypes.h"
17 #include "base/strings/string16.h"
18 #include "base/win/pe_image.h"
19 #include "chrome_elf/blacklist/blacklist.h"
20 #include "sandbox/win/src/internal_types.h"
21 #include "sandbox/win/src/nt_internals.h"
22 #include "sandbox/win/src/sandbox_nt_util.h"
23 #include "sandbox/win/src/sandbox_types.h"
27 NtQuerySectionFunction g_nt_query_section_func
= NULL
;
28 NtQueryVirtualMemoryFunction g_nt_query_virtual_memory_func
= NULL
;
29 NtUnmapViewOfSectionFunction g_nt_unmap_view_of_section_func
= NULL
;
31 // TODO(robertshield): Merge with ntdll exports cache.
32 FARPROC
GetNtDllExportByName(const char* export_name
) {
33 HMODULE ntdll
= ::GetModuleHandle(sandbox::kNtdllName
);
34 return ::GetProcAddress(ntdll
, export_name
);
37 bool DllMatch(const base::string16
& module_name
) {
38 for (int i
= 0; i
< blacklist::g_troublesome_dlls_cur_index
; ++i
) {
39 if (module_name
== blacklist::g_troublesome_dlls
[i
])
45 // TODO(robertshield): Some of the helper functions below overlap somewhat with
46 // code in sandbox_nt_util.cc. See if they can be unified.
48 // Native reimplementation of PSAPIs GetMappedFileName.
49 base::string16
GetBackingModuleFilePath(PVOID address
) {
50 DCHECK_NT(g_nt_query_virtual_memory_func
);
52 // We'll start with something close to max_path characters for the name.
53 ULONG buffer_bytes
= MAX_PATH
* 2;
54 std::vector
<BYTE
> buffer_data(buffer_bytes
);
57 MEMORY_SECTION_NAME
* section_name
=
58 reinterpret_cast<MEMORY_SECTION_NAME
*>(&buffer_data
[0]);
64 NTSTATUS ret
= g_nt_query_virtual_memory_func(
65 NtCurrentProcess
, address
, MemorySectionName
, section_name
,
66 buffer_bytes
, &returned_bytes
);
68 if (STATUS_BUFFER_OVERFLOW
== ret
) {
69 // Retry the call with the given buffer size.
70 buffer_bytes
= returned_bytes
+ 1;
71 buffer_data
.resize(buffer_bytes
);
78 UNICODE_STRING
* section_string
=
79 reinterpret_cast<UNICODE_STRING
*>(section_name
);
80 return base::string16(section_string
->Buffer
,
81 section_string
->Length
/ sizeof(wchar_t));
84 return base::string16();
87 bool IsModuleValidImageSection(HANDLE section
,
89 PLARGE_INTEGER offset
,
91 DCHECK_NT(g_nt_query_section_func
);
93 if (!section
|| !base
|| !view_size
|| offset
)
96 SECTION_BASIC_INFORMATION basic_info
;
97 SIZE_T bytes_returned
;
98 NTSTATUS ret
= g_nt_query_section_func(section
, SectionBasicInformation
,
99 &basic_info
, sizeof(basic_info
),
102 if (!NT_SUCCESS(ret
) || sizeof(basic_info
) != bytes_returned
)
105 if (!(basic_info
.Attributes
& SEC_IMAGE
))
111 base::string16
ExtractLoadedModuleName(const base::string16
& module_path
) {
112 if (module_path
.empty() || module_path
[module_path
.size() - 1] == L
'\\')
113 return base::string16();
115 size_t sep
= module_path
.find_last_of(L
'\\');
116 if (sep
== base::string16::npos
)
119 return module_path
.substr(sep
+1);
122 // Fills |out_name| with the image name from the given |pe| image and |flags|
123 // with additional info about the image.
124 void SafeGetImageInfo(const base::win::PEImage
& pe
,
125 std::string
* out_name
,
128 out_name
->reserve(MAX_PATH
);
131 if (pe
.VerifyMagic()) {
132 *flags
|= sandbox::MODULE_IS_PE_IMAGE
;
134 PIMAGE_EXPORT_DIRECTORY exports
= pe
.GetExportDirectory();
136 const char* image_name
= reinterpret_cast<const char*>(
137 pe
.RVAToAddr(exports
->Name
));
139 for (; i
< MAX_PATH
&& *image_name
; ++i
, ++image_name
)
140 out_name
->push_back(*image_name
);
143 PIMAGE_NT_HEADERS headers
= pe
.GetNTHeaders();
145 if (headers
->OptionalHeader
.AddressOfEntryPoint
)
146 *flags
|= sandbox::MODULE_HAS_ENTRY_POINT
;
147 if (headers
->OptionalHeader
.SizeOfCode
)
148 *flags
|= sandbox::MODULE_HAS_CODE
;
151 } __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION
?
152 EXCEPTION_EXECUTE_HANDLER
: EXCEPTION_CONTINUE_SEARCH
) {
157 base::string16
GetImageInfoFromLoadedModule(HMODULE module
, uint32
* flags
) {
158 std::string out_name
;
159 base::win::PEImage
pe(module
);
160 SafeGetImageInfo(pe
, &out_name
, flags
);
161 return base::string16(out_name
.begin(), out_name
.end());
166 namespace blacklist
{
168 bool InitializeInterceptImports() {
169 g_nt_query_section_func
= reinterpret_cast<NtQuerySectionFunction
>(
170 GetNtDllExportByName("NtQuerySection"));
171 g_nt_query_virtual_memory_func
=
172 reinterpret_cast<NtQueryVirtualMemoryFunction
>(
173 GetNtDllExportByName("NtQueryVirtualMemory"));
174 g_nt_unmap_view_of_section_func
=
175 reinterpret_cast<NtUnmapViewOfSectionFunction
>(
176 GetNtDllExportByName("NtUnmapViewOfSection"));
178 return g_nt_query_section_func
&& g_nt_query_virtual_memory_func
&&
179 g_nt_unmap_view_of_section_func
;
182 SANDBOX_INTERCEPT NTSTATUS WINAPI
BlNtMapViewOfSection(
183 NtMapViewOfSectionFunction orig_MapViewOfSection
,
189 PLARGE_INTEGER offset
,
191 SECTION_INHERIT inherit
,
192 ULONG allocation_type
,
194 NTSTATUS ret
= orig_MapViewOfSection(section
, process
, base
, zero_bits
,
195 commit_size
, offset
, view_size
, inherit
,
196 allocation_type
, protect
);
198 if (!NT_SUCCESS(ret
) || !sandbox::IsSameProcess(process
) ||
199 !IsModuleValidImageSection(section
, base
, offset
, view_size
)) {
203 HMODULE module
= reinterpret_cast<HMODULE
>(*base
);
207 base::string16
module_name(GetImageInfoFromLoadedModule(
208 reinterpret_cast<HMODULE
>(*base
), &image_flags
));
209 base::string16
file_name(GetBackingModuleFilePath(*base
));
211 if (module_name
.empty() && (image_flags
& sandbox::MODULE_HAS_CODE
)) {
212 // If the module has no exports we retrieve the module name from the
213 // full path of the mapped section.
214 module_name
= ExtractLoadedModuleName(file_name
);
217 if (!module_name
.empty() && DllMatch(module_name
)) {
218 DCHECK_NT(g_nt_unmap_view_of_section_func
);
219 g_nt_unmap_view_of_section_func(process
, *base
);
220 ret
= STATUS_UNSUCCESSFUL
;
227 } // namespace blacklist